Network Security Deployment (NSD) National Cybersecurity Protection System (NCPS)

11 July 2012

Presenter’s Name June 17, 2003

What is the NCPS? National Cybersecurity Protection System (NCPS) is the program of record within the

Department of Homeland Security for satisfying the goals of the CNCI; it is how the Department defines and manages its technology investment against requirements, cost, and schedule It is synonymously referred to as EINSTEIN in the press and outreach briefings

NCPS provides a wide range of cyber security capabilities for the Federal Executive Branch government networks (.gov domain), including: Intrusion detection (passive defense)

Intrusion prevention (active defense)

Advanced cyber analytics Data aggregation & correlation Visualization Malware analysis Packet Capture

Incident Management

Information sharing and collaboration

This range of capabilities supports US-CERT operations and helps prevent cyber attacks on the .gov domain and/or reduces the time to respond to and recover from cyber attacks when they occur.

2

Presenter’s Name June 17, 2003

NCPS Capabilities Breakdown

NCPS consists of a series of incremental “Block” programs

Each “Block” includes an “EINSTEIN” component that encompasses a specific cybersecurity capability

Blocks serve as the mechanism for governing acquisition of the program within DHS

Einstein 1

Einstein 2

Einstein 3 Accelerated

• Incident Handling • Malware Lab • Advanced Analytics

3

Presenter’s Name June 17, 2003

NCPS Intrusion Detection (Block 2.0) Capabilities

Description: Passive, signature-based Intrusion Detection System (IDS) capabilities to help protect Federal

Executive Branch government networks. Block 2.0 capabilities include*: IDS sensors can be located at Department/Agency Trusted Internet Connection (TIC) , TIC Access Point

(TICAP) or Managed Trusted Internet Protocol Service (MTIPS) locations Sensor utilize taps; not in-line with data flow – MOAs govern NCPS bandwidth utilization Centralized data storage Visualization, correlation, knowledgebase, IDS and flow analysis tools Contextual data feeds

Block 2.0 subsumed Block 1.0 capabilities and also includes: Block 1.0 network flow sensors and data collection/analysis infrastructure Mission Operating Environment (MOE) Incident Management System (IMS) Public and secure web presences

Goals: Deploy flow collectors and IDS sensors to cover all Federal Government Civilian Department and

Agency network traffic Improve detection, prevention and notification of cyber incidents

4

Presenter’s Name June 17, 2003

NCPS System Enhancement (Block 2.0.x) Capabilities Block 2.0.x capabilities provide enhancements to EINSTEIN 2 capabilities that include:

Packet Capture (PCAP) Description: An environment for collecting, analyzing, and storing the “payload” data from network traffic. Goal: Provide the ability to conduct deep packet inspection of suspicious malicious traffic

Malware Analysis Center Description: An environment that supports secure automated submission and analysis of malware Goals:

Provide an isolated environment for the safe submission of malware samples Support automated analysis and storage of malware samples Provide an unattributable network to support malware research

Enhanced Analytics Description: High input/output relational database and visualization tools that support queries on and

visualizations of very large datasets Goal:

Significantly reduce the amount of effort and time to analyze large data sets and produce cyber analytics reports Enrich analysis with a wide range of commercial, open source, and organic threat feeds and data sources

Incident Management System Description: Replacement of US-CERT’s existing incident management system (a highly customized

proprietary application) with an open source cyber incident tracking application Goals:

Simplify data input and better align incident management processes with US-CERT’s cyber analysis processes Improve system performance Support standards-based, machine-to-machine ticket exchanges with Departments/Agencies and other CIRTs

5

Presenter’s Name June 17, 2003

NCPS System Enhancement (Block 2.0.x) Capabilities (cont.) Additional Block 2.0.x capabilities: Cyber Indicators Repository (CIR) - Formerly known as External Indicators & Warnings (E-I&W)

Description: An external facing application that allows US-CERT and its D/A partners to share indicators (DNS, email, file hash values, etc.) related to malicious network traffic

Goals Provide a central repository for the cyber community for indicators and warnings data Protect attribution through strict access controls and rules on how summary information is reported

Cyber Indicators Analysis Platform (CIAP) - Formerly known as Internal Indicators & Warnings (I-I&W)

Description: An internal application used to support cyber indicator analysis and serve as US-CERT’s authoritative source for cyber indicators

Goals Support internal analysis through the flexible association of structured and unstructured data, as well as context-

sensitive relationships that may change over time Integrate CIAP and CIR (ingest new indicators from CIR; export finished products from CIAP to CIR)

CyberScope Description: A DOJ-developed system that is used to automate FISMA reporting and

support continuous monitoring of the installed base of Federal Government (.gov) information technology assets.

Goals Assume management control of the application and migrate it from a DOJ Data Center to DHS Data Centers Improve support for automated data feeds (e.g., incorporate additional SCAP-based feeds, increase frequency to

real-time reporting, etc.)

6

Presenter’s Name June 17, 2003

NCPS System Enhancement (Block 2.0.x) Capabilities (cont.) Additional Block 2.0.x capabilities: US-CERT Public web site*

Description: A publically-accessible web site, hosted at the Software Engineering Institute, that provides high-level information about cyber threats

Goals Provide a mechanism for sharing cyber threat advisories and cyber security best practices with the

general public Provide a mechanism for submission of cyber incidents and malware by private citizens Migrate the capability to a DHS Data Center

US-CERT HSIN Portal* Description: A secure portal, hosted by the NC4 Corporation, that is used by DHS and it’s

cyber partners to support information sharing Goal

Support two-factor authentication Provide multiple secure compartments to support collaboration with limited communities Provide tools to support real time and asynchronous collaboration with trusted partners Provide mechanisms for sharing cyber data feeds and analytic tools Migrate the capability to a DHS Data Center

* These capabilities were originally developed under Block 2.0, but will eventually be subsumed by Block 2.2

7

Presenter’s Name June 17, 2003

NCPS Analytic (Block 2.1) Capabilities – Security Information & Event Management (SIEM) Description:

A Security Information and Event Management (SIEM) capability for normalizing and correlating disparate data source events and providing threat visualization, analytics, and reporting services

Currently utilizes the following data sources: Netflow data Netflow data tagging IDS alerts US-CERT watch lists Commercial threat feeds

Goals: Improve detection, prevention and notification of cyber incidents Improve correlation, aggregation, and visualization of cybersecurity data

8

Presenter’s Name June 17, 2003

NCPS Information Sharing (Block 2.2) Capabilities Description:

A secure environment for sharing cybersecurity information, at all classification levels, with a wide range of security operations and information sharing centers across federal, state/local/tribal, private, and international boundaries

The Information Sharing capability will include the following capabilities: Web-based services that support the exchange and analysis of cyber security information via

standardized interfaces Content/document management Asynchronous collaboration (e.g., workspaces) Real time collaboration (e.g., instant messaging, desktop sharing, and white boarding) Two-factor authentication and Identity Management (role-based access control) Federated search

Goals: Prevent cyber incidents from occurring through improved sharing of threat information Reduce the time to respond to incidents through improved coordination and collaboration

capabilities Improve efficiencies through the use of more automated information sharing and through the

exposure of analytics capabilities Improve information sharing of cybersecurity activity

KPP 5: Provide data-sharing between all participating agencies on known cyber events within 30 minutes of event detection

KPP 6: Provide information-sharing between all participating agencies on known cyber events within 30 minutes of event detection

9

Presenter’s Name June 17, 2003

Block 2.2: Information Sharing System – Operational View

10

Presenter’s Name June 17, 2003

NCPS Intrusion Prevention (Block 3.0) Capability Description

An active intrusion prevention capability that conducts threat-based decision making on network traffic entering or leaving the Federal Executive Branch civilian networks and disables attempted intrusions before harm is done

Top Secret Mission Operating Environment (MOE) at NCPS Operations and Data Centers Classified and unclassified signatures and countermeasures Back-end data storage and data processing capabilities located at DHS Data Centers

Goals Increase the volume of DHS monitored Federal traffic Provide the ability to prevent, terminate, or mitigate risks from malicious traffic Improve detection, prevention, and notification of cyber events

11